A Decision Tree Learning Approach for Mining Relationship-Based Access Control Policies
Relationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing by allowing policies to be expressed in terms of chains of relationships between entities. ReBAC policy mining algorithms have the potential to significantly reduce the cost of migration from legacy access control systems to ReBAC by partially automating the development of a ReBAC policy. This paper presents a new algorithm, DTRM, based on decision trees, for mining ReBAC policies from access control lists (ACLs) and information about entities. The algorithm first learns an authorization policy in the form of a decision tree, and then extracts a set of candidate authorization rules from the decision tree. Next, it constructs the final mined policy by eliminating negative conditions from the candidate rules and then simplifying them. Compared to state-of-the-art ReBAC mining algorithms, DTRM is simpler, significantly faster, achieves similar policy quality, and can mine policies in a richer language.
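As an added illustration (not the paper's code), the following toy Python version walks the pipeline the abstract describes: an ID3-style learner builds a decision tree over constructed ACL entries whose features are hypothetical boolean relationship conditions, each root-to-permit-leaf path becomes a candidate rule, negative conditions are eliminated, and the rules are simplified. The elimination strategy used here (drop a condition only if the rule still grants nothing the ACL denies) is an assumption; the abstract does not give DTRM's actual method.

```python
from math import log2
# Constructed toy ACL, not the paper's data: each entry is a (subject, resource) pair
# described by boolean ReBAC relationship conditions (hypothetical names) plus the
# legacy decision; the single deny entry makes over-granting detectable.
ACL = [
    ({"same_dept": True,  "manages_owner": False, "public": False}, True),
    ({"same_dept": True,  "manages_owner": True,  "public": False}, True),
    ({"same_dept": False, "manages_owner": True,  "public": False}, True),
    ({"same_dept": False, "manages_owner": False, "public": True},  True),
    ({"same_dept": False, "manages_owner": False, "public": False}, False),
    ({"same_dept": True,  "manages_owner": False, "public": True},  True),
]

def entropy(rows):
    p = sum(1 for _, d in rows if d) / len(rows) if rows else 0.0
    return 0.0 if p in (0.0, 1.0) else -(p * log2(p) + (1 - p) * log2(1 - p))

def learn_tree(rows, attrs):
    """ID3-style learner: ("leaf", permit) or ("node", attr, sub_false, sub_true)."""
    if not rows or len({d for _, d in rows}) == 1 or not attrs:
        return ("leaf", bool(rows) and 2 * sum(d for _, d in rows) > len(rows))  # majority; deny on tie
    def gain(a):
        parts = [[r for r in rows if r[0][a] == v] for v in (False, True)]
        return entropy(rows) - sum(len(p) / len(rows) * entropy(p) for p in parts)
    best = max(attrs, key=gain)
    rest = [a for a in attrs if a != best]
    return ("node", best, learn_tree([r for r in rows if not r[0][best]], rest),
            learn_tree([r for r in rows if r[0][best]], rest))

def extract_rules(tree, path=()):
    """Each root-to-permit-leaf path is a candidate rule: a set of (attr, value) conditions."""
    if tree[0] == "leaf":
        return [frozenset(path)] if tree[1] else []
    _, a, sub_f, sub_t = tree
    return extract_rules(sub_f, path + ((a, False),)) + extract_rules(sub_t, path + ((a, True),))

def is_safe(rule, acl):  # a rule is safe if it covers no deny entry (never over-grants)
    return not any(all(f[a] == v for a, v in rule) and not d for f, d in acl)
def drop_conditions(rule, acl, droppable):
    # Greedily remove conditions selected by `droppable` while the rule stays safe.
    rule = set(rule)
    for cond in sorted(rule):
        if droppable(cond) and is_safe(rule - {cond}, acl):
            rule.discard(cond)
    return frozenset(rule)
def mine_policy(acl=ACL):
    """Decision tree -> candidate rules -> eliminate negatives -> simplify -> deduplicate."""
    rules = extract_rules(learn_tree(acl, sorted(acl[0][0])))
    rules = [drop_conditions(r, acl, lambda c: c[1] is False) for r in rules]  # negative conditions
    rules = [drop_conditions(r, acl, lambda c: True) for r in rules]           # any redundant condition
    return sorted(set(rules), key=sorted)
```

On the constructed ACL the three candidate rules collapse to three single positive conditions, and every mined rule still denies the one deny entry.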